PayPal Fixes Trio of Remote-Access Vulnerabilities

PayPal has repaired three remote-access vulnerabilities found in different areas of its website, including a cross-site scripting (XSS) flaw on its PayPal Community Forum. All three flaws were submitted to PayPal’s Bug Bounty Program.

Researcher Benjamin Kunz Mejri of Vulnerability-Lab reported the security vulnerabilities to PayPal in September; patches were released in late October according to an advisory posted this week to the Full Disclosure list.

The XSS bug allows only the execution of client-side script and browser cookie hijacking, Mejri told Threatpost in an email. “Client-side forced requests are possible to external targets,” he said, adding this could lead to session hijacking and phishing attacks.

“Normally it should not be possible to inject script code as foldername and replace it with more script code to crash with an unhandled exception,” the advisory said. “Attackers can inject on [the] client side when the exception-handling is bypassed via another validation vulnerability.”

An input validation vulnerability was also discovered in the egreetings Web service of PayPal's Plaza Web-based application. Plaza is PayPal's shopping application; an attacker would need to be logged in to be able to send a malicious greeting via PayPal's outgoing mail server, Mejri said. Malicious code could be injected into certain fields in the application, and the victim could be subject to session hijacking or persistent Web-based attacks.

Finally, a vulnerability that could enable an attacker to redirect users of PayPal's content management system (customer, pro or seller accounts) was patched. Attackers can use a client-side request to send users to an external website.

“An attacker can redirect the victim over the original PayPal domain to malware or phishing sites,” Mejri said. “The potential consequence is a stolen PayPal account or external malicious redirects. Mostly users do not watch where the redirection location is when the domain request was processed through the original PayPal community domain.”

PayPal began its bug-bounty program in June. PayPal’s security team rates the severity of submitted vulnerabilities and the company determines payouts. PayPal said only cross-site scripting, cross-site request forgery, SQL injection and authentication bypass flaws are in scope for its program. Researchers must also give PayPal reasonable time to address the flaws in question.

Looks like you are stalking him to animate other people to hate him. He does amazing work for PayPal, Dell, Barracuda Networks, Facebook and also Microsoft. You say he destroys the scene; I say he repairs the scene by excluding useless people like you and evil moneymakers. He will win in the end without using a weapon even if you guys try to force him. I wish there would be more people like him. @severin

Authors

Threatpost
